Industry Urges NIST to Preserve Key Attributes in Updating its Cybersecurity Framework | Wiley Rein LLP
Public comments on the update to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) highlight the interest of both the public and private sectors in this foundational guidance document. NIST is now reviewing the 130 comments it received in response to its request for information (RFI) on a possible CSF update. The RFI also sought comments on NIST's National Initiative for Improving Cybersecurity in Supply Chains (NIICS), a new public-private partnership that will seek to address cybersecurity supply chain risk management (C-SCRM) issues, as well as on NIST's other C-SCRM efforts.
A diverse group of organizations participated in the process, including trade associations, industry coalitions, individual companies, standards development organizations, security vendors, and federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Aviation Administration (FAA), and the U.S. Department of Energy. The comments offer a window into the stakeholder concerns and issues that NIST will have to address as the update proceeds.
Many commenters spoke of the usefulness of the CSF as a flexible, voluntary, risk-based document that can be applied in any number of use cases. The record reflects general agreement that organizations rely heavily on the CSF as it stands and that significant changes would impair its usability and longevity. Numerous organizations provided details on how they implement the CSF to improve their security posture.
Although the record shows general agreement on the usefulness of the CSF, commenters did seek several changes. Several communications and technology trade associations sought targeted changes, such as updating the Informative References that NIST provides in its catalog and mapping the CSF to additional frameworks, regulations, and standards. Some individual companies, as well as some information technology trade associations, recommended that NIST provide more clarity on the Implementation Tiers, which are intended to give context on how an organization views cybersecurity risk and the processes it has in place to manage that risk.
A smaller group of commenters sought more substantial changes to the CSF. For example, some commenters sought significant changes to the CSF's treatment of C-SCRM, including changes to the CSF's Categories and Subcategories. However, many of the commenters who addressed C-SCRM discouraged NIST from building a new C-SCRM framework independent of the CSF. Other commenters, including financial sector organizations, urged NIST to add a Governance function to the CSF to make it more comprehensive. In addition, a couple of federal agencies asked NIST to incorporate zero trust concepts into the CSF.
NIST plans to hold additional workshops to gain further insight into possible changes to the CSF. NIST is also likely to publish public drafts of the updated CSF, which would give organizations additional opportunities to provide feedback. Private companies should strongly consider participating in this process to ensure that NIST takes their operations and interests into account when revising this key cybersecurity document.